Madrid, June 14 2004 - According to data from PandaLabs, the Zafi.B worm
-first detected last weekend- is now spreading widely around the world.
Although the number of incidents caused by this malicious code is not
alarming, the extent to which it has spread geographically has increased the
risk of computers being infected by Zafi.B.

Zafi.B spreads, using its own SMTP engine, via e-mail to addresses that it
finds in infected computers in files with the following extensions: htm,
wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml and pmr.

Messages carrying Zafi.B have variable characteristics and can be written in
various languages including: English, French, Spanish, German or Italian.
For more details on the e-mails carrying Zafi.B, go to Panda Software's
Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

If users run the file attached to the message an Internet Explorer window
opens and tries to connect to www.google.com or www.microsoft.com. It also
enters several keys in the Window Registry.

Zafi.B copies itself to the infected computer in two files with random
names. It also creates infected files called "Total Commander 7.0
full_install.exe" or "winamp 7.0 full_install.exe"- in directories with
names including the words "share" or "upload".

The worm continually searches for memory process with the strings "regedit",
"task" or "msconfig" and on finding them it terminates them. It also looks
for directories that could contain antivirus programs in order to overwrite
all executable files with its own code.

To prevent incidents involving Zafi.B, Panda Software advises users to take
precautions and update their antivirus software. Panda Software has made the
corresponding updates available to its clients to detect and disinfect this
new malicious code.

In addition, users can scan their computers online for free with the
ActiveScan solution, available on the company's web page at:
http://www.pandasoftware.com.

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

The worm continually searches for memory process with the strings "regedit",
"task" or "msconfig" and on finding them it terminates them. It also looks
for directories that could contain antivirus programs in order to overwrite
all executable files with its own code

wow, that is some evil programming_________________You've Been Deleted
CCSP WebsiteMember of The ASAP Since 2004

Madrid, June 11 2004 - This week's report on viruses and intrusions will
deal with three worms: Plexus.B, Korgo.H and Korgo.I, and the Trojan
Downloader.GK.

Plexus.B is a variant that bears a lot of similarities to the original worm
and uses various means of propagation. It can enter computers directly from
the Internet by exploiting the LSASS Windows vulnerability and it can send
itself as attachment to an e-mail message. It is also designed to spread
across networks and using the file-sharing program (P2P) KaZaA.

Even though Plexus.B can only directly enter computers running Windows XP or
2000, it can still affect other Windows platforms. In these cases however,
it needs the user to execute the infected file.

Plexus.B modifies the Windows host file, overwriting its content. In this
way, it prevents the user from accessing the website of a well-known
antivirus company.

Korgo.H and Korgo.I are two new members of this prolific family of worms
that exploit the Windows LSASS vulnerability. By using this operating system
flaw, they spread across the Internet and automatically enter computers.
Like Plexus.B, the two variants of Korgo also affect all Windows platforms,
although they only automatically infect systems running XP and 2000.

Once they install themselves on a computer, Korgo.H and Korgo.I open several
TCP ports and wait to receive a file to run on the infected computer. To
this end, they also try to connect to several IRC servers.

Finally, Downloader.GK is a Trojan that downloads and runs two adware
programs (Adware/BetterInet and Adware/SearchCentrix) on the infected
computer. It doesn't spread on its own, but is downloaded from certain web
pages when the user accepts the installation of a specific ActiveX control.

- P2P (Peer to peer): A program -or network connection- used to offer
services via the Internet (usually file sharing), which viruses and other
types of threats can use to spread. Some examples of this type of program
are KaZaA, Emule, eDonkey, etc.

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.